T-MOBILE VPN Setup Instructions

AnyConnect Client Windows Install

Overview
Download and install the Symantec VIP Access Credential for security codes
Register the credential on T-Mobile’s Self Service Portal
Download and install the AnyConnect client (VIP Access code required)
Run AnyConnect and login using your T-Mobile account and the security code

Requirements
A T-Mobile user account authorized to use AnyConnect
The account must have a working email address, voice phone, or mobile number
Local admin rights on the workstation you are going to install the software
Windows Operating System 7 or higher – 32-bit or 64-bit
T-Mobile is unable to provide installation support on non-T-Mobile owned devices.

Authorization
A manager or above must approve remove VPN access
User account must be a member of the gsm1900 AD group VPN-Network-EIT
Other AD groups grant additional access and can be added with manager
approval as required:

VPN-Network-NMNet Engineering networks

VPN-Network-PCI Protected PCI applications
VPN-Network-DMZ Protected billing and other applications

Check your AD groups at the command prompt with the NET USER command.

C:\> net user userid \DOMAIN

Or with the gsm1900 web page tool: http://gsm-web.internal.t-mobile.com/

Installation
If you have a T-Mobile managed laptop and already have VIP Access installed, then skip down to
Register the Symantec VIP Access Credential ID

Download the Symantec VIP Access software

https://idprotect.vip.symantec.com/desktop/download.v

Select “Download for Windows”.

Follow the download instructions and accept the default values to complete an install.

Register the Symantec VIP Access Credential ID

Please read through the eight steps before logging in to the Self-Service portal

1. Start your Symantec VIP Access

 All Programs 

Your desktop VIP Access will start generating security codes 

2. Open a new browser window and paste in this link to see instructions and the portal.

https://hssp.vidp.t-mobile.com:8233
3. Login with your T-Mobile NT ID and password
4. Get a temporary code for your first time access

Your Symantec VIP

temporary security code is

631126

Sample
SMS text response
If your account does not have email or a phone number you may see this

Contact the Service Desk at 877-878-7326 to add them.

5. Enter your temporary Security Code and click Sign in

6. Select VIP Credential, NOT Computer

7. Register your Credential

Pick a friendly user name

Enter the Credential ID

Enter a Security Code

8. Verify a successful registration

After your first Credential ID is registered, make sure you see your entry in the top section shown by the red
arrow.
 If the top section is blank then you selected computer in step 6.

Click Register by “Register another credential?” to repeat the process.

The next time you login to the Symantec VIP Access Self-Service Portal you will need to
use your registered credential.
Select your credential name and then enter the security code.

If you don’t have a working VIP Access, then click the “Trouble signing in?” button to get a temporary security
code.
You can register up to five Credential IDs.
More information about getting and installing the Symantec VIP Access can be found at Symantec.

https://idprotect.vip.symantec.com/mainmenu.v

If you have a T-Mobile managed laptop and already have the AnyConnect VPN client installed, then
skip down to Start Your Cisco AnyConnect Secure Mobility Client
-----------------------------------------------------------------------------------------------------------------------------------

Connect to the T-Mobile VPN Server to Download the Client

To download the Cisco AnyConnect VPN client from T-Mobile you must have:

Windows Operating System 7 or higher – 32-bit or 64-bit

A GSM1900 domain account authorized to use VPN
A registered Symantec VIP credential ID for security codes

Once you have an account and a regisered VIP Access Credential ID, then connect to the T-Mobile VPN
server to download the client.
https://general.vpn.t-mobile.com

Older web browsers will need to be upgraded. If your web browser gives you an error message or fails to
connect, check the Options/Security settings to ensure TLSv1.2 and higher are enabled.

Enter your GSM1900 user

name and password, also
called a T-Mobile NT ID.

Continue at Privacy Warning and allow changes to computer

Install Cisco AnyConnect Secure Mobility Client
The Cisco software download tries to use Active-X first, and then Java. If both of these fail, you are prompted
to download the install file manually.

1. Click Download to download the AnyConnect application

2. If you get a Java Update prompt, click Update and allow Java to run.

2. If the Java installation fails click OK and continue

3. Click “AnyConnect VPN” to start a Manual Installation

4. Click Run to install AnyConnect

5. Click Next and accept the License Agreement.

6. Click Install, allow changes, and click Finish.

The AnyConnect installation is complete.

Start Your Cisco AnyConnect Secure Mobility Client

 All Programs  Cisco  Cisco AnyConnect Secure Mobility Client AnyConnect Secure Mobility Client

If your destination is blank, enter general.vpn.t-mobile.com and click Connect.

Enter your T-Mobile gsm1900 account username and password and click OK

Enter the Security Code from the VIP Access application and click Continue
 Tip: Click the copy button to the right of the number field to copy and then paste the Security Code.

Acknowledge the banner by clicking Accept

NOTE: Do not use AnyConnect at the same time as other VPNs. It

doesn’t work the First Time

You provide your security code and you get prompted to login again?

• Did you register your credential? Go back and login to the Self-Service portal.
• Did you register your computer by mistake?
o Did you enter a Credentail ID (e.g. VSST4686523) during registration? o
If not, then you registered your computer and not your Credential.
o Login to the self-service portal and try again.
• Are you authorized to use AnyConnect?
o Check your AD group membership – see Authorization section above o

If not, request authorization from your T-Mobile manager Does the

client repeatedly ask you to login without prompting for a security
code?

• Your account may be locked or disabled.

• If after repeated attempts to login without seeing the security code prompt call the
Service Desk at 877 878 7326 and report a problem with your GSM1900 account.
I am Connected, What Now?
Just start accessing your applications to verify you connection.

• No need to select destinations, the client is set for Automatic Gateway Selection.
• No need to select a profile, AD security group memberships does that for you.
• Your access is determined your AD security groups.
• If you cannot access a service, you must contact your T-Mobile manager who can request
and approve additional AD groups for you.

The next time you use the client you will see “Automatic Selection” as the destination.

• Just click connect, then username, password, and security code.

What Options can I set in the Client?

Click the gear at the bottom of the client.

Select the Preferences tab to see your options.

Minimize AnyConnect on VPN connect.

• Hide the client after logon.

Enable automatic VPN server selection is enabled.

 • For advanced users, uncheck this to allow you to select alternate destinations. You can
enter FQDN’s or IP address of alternate destinations.

Block connections to untrusted servers.

• If you are blocked, then there is an SSL certificate issue or DNS issue on the VPN site.
• Uncheck, only if you are accessing a VPN server in a controlled environment. T-
Mobile VPN servers will never need this unchecked.

Select the Statistics tab to see your IP address

Select the Message History tab to see logs for your current VPN session.

This is useful for troubleshooting connectivity and access issues.

Advanced User Information
If you uncheck, Automatic Selection, then you see the default destination profiles T-Mobile configured
for the Automatic Selection. Only West and Central are active as of May 2016.
general.vpn.t-mobile.com Round robin rotation of below locations
west.vpn.t-mobile.com Polaris DC, Wenatchee WA
central.vpn.t-mobile.com Titan DC, Dallas TX
east.vpn.t-mobile.com MSO, Charlotte NC
hawaii.vpn.t-mobile.com MOS, Hawaii HI

You can select one of these or enter a destination of your choice.

If the destination you connect to downloads a profile, that destination will stay in your list. Otherwise

you will need to type in the destination each time you want to connect. Time to Disconnect
Click Disconnect to hang up the VPN session. Any applications using the connection will stop working.

Note the timer at the bottom left corner. The maximum session time is 12 hours.

No alarm or popup can be configured, but you can check here to re-connect before being dropped.
If your session expires, the client disconnects you.